We're going to get going a couple of minutes early because I've got an important public
service announcement. Last year we received a note from an attendee ‑‑ sorry, a human.
This was my first DEF CON and I really enjoyed the conference. But I found all this swearing
very upsetting. I think this lowers the quality of the conference and truly offends many people.
Andy. Well, Andy, I want you to know that we take this very seriously at DEF CON. And
the following phrases are now banned. Fuck, fuck you, fuck off, what the fuck is your
problem, no, I do not know who the fuck you are, what the fuck, and fuck you, you fucking
fucks. Thank you, Andy, for bringing this to our attention.
Oh, one last thing. We are the speaker goons. We're the guys that get these drunk
people. We're the guys that get these drunk people. We're the guys that get these drunk
people up here to speak to you. We have ‑‑ our motto is AMF yo, yo. Because when the
speakers give us a problem, we say adios, motherfucker, you're on your own.
We are, of course, looking for a replacement phrase now because we can't use that one anymore.
So if you have any ideas, bring them over to the speaker room.
We have another tradition here at DEF CON. Both Tim and Ryan are new speakers. They've
never spoken at DEF CON before. So if I could get some help up here.
Grab a cup, gentlemen. Grab a cup.
That's not what she said.
So those three are mine, right?
Take that.
Give that to him.
You know, more and more people keep coming out for this tradition.
Cheers.
But he doesn't have one.
You don't have one.
Take one.
All right.
Cheers, gentlemen.
Cheers.
Have a good talk.
Congratulations on many speaking opportunities.
Thanks for the introduction.
So for those of you that don't know me, my name is Ryan Smith, and this is Tim Strazzere.
We are both security engineers at Lookout.
At Lookout, Lookout provides mobile security for both iPhone and Android, and we have about
45 million users around the world.
On which we get to see security events and help protect them.
So with this, we see a lot of trends.
We also have another acquisition system where we're able to acquire essentially all the
Android applications that are in propagation and distribution around the world.
So with this, we see a couple of trends.
When you have millions of applications, it's very difficult to track each individual set
of applications.
And one of the trends that we've seen is Russian SMS fraud.
SMS fraud.
SMS fraud is something that's not new.
We've been tracking it for about three years.
But over the last three years, we've seen two trends.
One is a rise in sophistication of the code.
More obfuscation.
More attempts to evade detection.
And also a large, very steep increase in volume.
So those trends have led us to this talk called Dragon Lady.
The title of Dragon Lady comes from the code name for the U2 aerial reconnaissance vehicle
that was used to observe Soviet activities during the Cold War through adverse conditions,
through weather.
And their motto was, in God we trust, all others we monitor.
So who are we?
So my name is Ryan Smith.
I'm a senior security researcher at Lookout.
I've been a member of the Honeynet Project for the past ten years where I've learned
a lot of skills.
And I stand on the shoulder of the U2 aerial reconnaissance vehicle.
I'm a member of many giants within the organization.
And I previously worked on x86 reverse engineering, so automated shellcode unpacking and malware
sandboxing.
Previously I've spoken at AppSec and IEEE Hicks.
And as you guys all know, this is my first time at DEF CON.
So Tim Strazzere, I'm going to hand the talk off to him for now.
But another note, this is Tim's birthday today.
So if you see this guy around.
Feel free to give him as many shots as you like.
Thanks for throwing me under the bus, Ryan.
So I'm Tim Strazzere.
You can just call me Diff.
I'm the different Tim at work for many different reasons.
So just call me Diff, whatever, when we're going to drink at the bar.
I'll buy you guys a shot if you buy me a shot.
Everyone.
That goes out to everyone.
So I'm the lead research and response engineer at Lookout.
Basically we get to take apart malware all the time.
It's basically a dream job.
If you guys are interested, come talk to me afterwards.
We'll hook you up with a dream job.
I'm kind of known for the Android market and bashing my head against the wall and trying
to figure that out for a very long time.
I'm also probably the jerk who's responded to you on mailing lists if you ever ask questions
about this.
I'm a big junkie for reversing mobile malware.
If you guys haven't looked into it, I suggest this to everyone I meet.
It's really interesting because not only like when people are engineering applications
for mobile.
They have to worry about battery.
Is the connectivity dropping?
It's really interesting from a mobile malware perspective of, you know, you're trying to
create ‑‑ someone out there is trying to create a bot net and also trying to work
through those ebb and flows of is the network down?
Where is this person that I've infected?
It ends up being really interesting twist to the problem of malware.
And I've spoken at previous places mainly about anti‑analysis, decompilation and emulation.
So why are you here and why do you care about what we're talking about?
Okay.
So the deep dive, we really wanted to go and do this case study about Russian malware
because you see lots of headlines out there and they're really misleading or they're interesting
because there's numbers and percentages.
But percentages lie.
There's an increase of things.
Like just giving a percentage of saying, like, it increased a thousand percent, what does
that even mean?
Does that mean you went from, like, zero samples to having ten samples or something like that?
So we wanted to quantify and actually dig down and say, like, what is the difference?
We're not just basing this off of total numbers of files that we see.
Another thing is when you look at samples in the wild, AV companies usually distinguish
samples by there's a hash.
So when a unique file comes across the table, they say we have a new sample.
But when you look into the code of those, sometimes there's absolutely no difference
in the actual file.
So if you're just going to go out there and grab 10,000 samples but they do exactly the
same thing, there's really no differences except for maybe a few modified flags, it
kind of makes you ‑‑ lets you boost up your number if you want to, but it doesn't
really help you solve the problem at hand or actually understand the problem.
And then another reason was we see a lot of things coming out of Russia and everyone
just says it's Russian toll fraud and it's called fake installer and they kind of just
throw everything into it and it's like, well, it sends SMS, therefore it's the same thing.
It's not true once you start digging into the actual technicality of it.
So as I said, a new hash is not always a new sample, and this was an example I just pulled
up from what we did.
This is what we call alpha SMS, and I had three APK files, which is essentially a zip
file, and you get the SHA1 sum of those.
The SHA1 sum ends up being something different.
So a lot of people at this point might say I have three different samples and these are
three different infections and now I have three things instead of one.
But once you start pulling these apart, you end up seeing the classes.dex, which is essentially
where all that code lays for an Android application, they're all exactly the same.
And Ryan will go into depth on this, but basically if I pull this open in a hex editor and I'm
looking at a zip template, as you can see, the actual times of when these were packaged
are different.
And that's the only difference in here.
There's also a configuration file for when the affiliates were going through.
So different affiliates have different affiliate configurations, but the code is actually identical.
So these samples are exactly identical.
They just belong to different affiliates.
So that's interesting in its own case.
But you need to understand that.
You need to understand this difference instead of just saying I have three different pieces
of malware here.
The basic families that we went through were we ended up breaking up the Russian malware
into alpha SMS, BadNews, which is actually a recent one we just blogged about.
This one was specifically interesting because it was basically around the ‑‑ it was
an ad SDK that these malware authors were attempting to get developers to use inside
their applications.
Then we also have connect SMS.
We also have at the bottom ‑‑ this is not a toll fraud, but it is a Russian malware,
NotCompatible, which I'll touch upon a little bit later.
As you can see, they all send SMS except for the bottom.
But they do have other features sometimes in there, like downloading applications, trying
to install those applications or suggesting that a user install that application.
A lot of them exfiltrate personally identifiable information, so that's stealing your contacts,
or attempting to look at your web browser history.
And then it was also interesting to notice that some of these people were using obfuscation.
It was all not off‑the‑shelf obfuscation.
So it was all this custom‑made stuff that we're seeing.
And you can actually see that between the different groups, they started sharing obfuscation
techniques.
And we thought this was important because, as you see, lots of people just say all those
different families that have different feature sets and they also have different ways of infecting
people and different feature sets, basically a lot of people just say, well, it's Russian
SMS.
Who cares?
Like, let's just group it all into one.
And you kind of miss the big picture of who's doing this and what they're actually attempting
to go for.
So as we were going through, just specifically I was looking at Connect SMS, and I went through
our archives of samples, and I pulled randomly ‑‑ I pulled a sample from A, F, P, and S.
And so these are all different variants of the same family.
And it ended up looking pretty interesting.
You can see the package by date, when these were actually created by the malware author.
And then the first instance actually just had no obfuscation in there.
It was really simple.
Basically you open up this application and it just sends an SMS, and that's all.
There's debug information in there, which ended up being kind of interesting because
this means they didn't run ProGuard, they didn't run DexGuard, and they just had all
this extra metadata sitting there in their application.
Later on in F, we actually saw this is ‑‑ it was packaged a few months ago.
A few months afterwards, they started adding more SMS endpoints and actually extracted
that into a configuration file.
So it wasn't just sending hard coded SMS, and it actually had all the SMS endpoints
and the URLs started becoming encrypted in that external file.
They also added contact exfiltration, which was interesting because they weren't actually
spamming your contacts, but they're sending that off to a third party server.
So it was just an interesting way to see this sample evolve.
Later down the road.
In code, we still see the SMS endpoints and the URLs encrypted, which was actually being
used ‑‑ the same cryptography was being used.
They added more obfuscation at this time.
So if you just looked at the two samples next to each other, without digging down deep,
you might say this is brand‑new code.
But you de‑obfuscate that, wait, they're using the same cryptography, okay, they're
even using the same keys.
That ends up being an interesting correlation to draw.
In the actual P sample, they removed the contact exfiltration.
So it was interesting.
It was interesting to see that these guys are attempting to evolve.
Maybe they decided we're going to steal everyone's contacts, maybe we're going to spam it.
Maybe they tried that technique and it didn't actually work out, so they ended up removing
it.
Maybe they saw like a correlation of people are downloading less things because they added
more permissions.
And then in the last sample that we saw, and this one is actually pretty recent, they've
actually moved the SMS and URL endpoints.
They're still encrypted, but they're not actually kept inside the package.
So what they're doing is they're actually contacting the URL and dynamicizing it.
They're dynamically retrieving that information.
So now you no longer have actual static configurations in the application.
So another interesting point when we were going through that obfuscation, and here's
a little example.
This is actually from Alpha SMS.
These people were building custom obfuscation tools.
And essentially if you know what Java code looks like, this is smali, which is a reverse
engineered ‑‑ basically taking the Dalvik bytecode and putting it into human readable
format.
This is basically a Java reflection call.
And they're decrypting the string, which just looks like garbage essentially.
And then they're using that decrypted string to reflectively instantiate some function
methods.
So I believe this is actually the start of a send message function.
And it ends up being really interesting because when they're running these tools against all
their samples, almost weekly they were changing their obfuscation methods.
The patterns were essentially the same.
But you couldn't actually look for the same encrypted sequences or the same exact pattern.
It was very similar.
But once you start deobfuscating all these, the samples end up aligning again and you
see that code similarity coming back out.
A lot of people have looked at this and said, oh, okay, it's polymorphism, they're just
trying to change it all the time.
It ends up not being as scary once you understand what's actually going on.
But it is interesting to see that different organizations tend to start sharing their
obfuscation technique and you actually see them distributing malware that's using the
same techniques but then different seeds into that actual obfuscation.
One of the really interesting trends, we sat down with our data team and we were looking
at detection data.
And this is just a quick cross section of one specific family.
This one, I believe, was connect SMS.
And this is a little old for the data, but it does illustrate the point that each different
color is interactive.
A specific variant that was getting pushed out.
So essentially what we saw is that there was different package names getting pushed out
every single week.
And once you read through the noise, what was actually happening is these guys were
essentially operating as, like, a start‑up with, like, an agile type of methodology.
So as you can see, almost ‑‑ this ends up mapping out to be seven days.
So for seven days, they're going to be pushing the same exact piece of malware.
To thousands of devices.
And they keep just trying to jam it down the throat using spam techniques or getting infected
hosts to serve this up, like infected websites.
And what happens is almost right on midnight in Russian standard time ‑‑ that's not
actual standard time, but Russian time ‑‑ so basically at midnight, they switch over
and they just stop pushing that old piece of malware and they start pushing a new one.
So they're incrementally pushing updates.
So this is basically, you know, Russian malware.
Startup 101.
Which ends up being really interesting.
So while we're going through this, we actually came across NotCompatible.
This isn't actually SMS fraud.
But it is another interesting way to see how this mobile malware in Russia specifically
is being compartmentalized and actually commoditized.
This was an interesting one, essentially, because if you look at the diagram at the
bottom, they're infecting devices and essentially using, you know, people inside the U.S., people
in different countries as proxies.
To hide their traffic.
And you might think, like, well, who cares, like, what are they actually using this for?
It looked like what they were doing was they seemed to be buying up swaths of compromised
accounts or compromised websites, luring victims in through there, actually getting
the devices infected.
And now once you have someone in the U.S., maybe they're starting to sell these services
and actually let other people use that proxy connection.
So what this looks like it's going to be doing, and we've actually observed traffic of them
purchasing tickets online.
So this most likely is to evade actual fraud detection systems so that, you know, when
you see someone from Romania buying Justin Bieber tickets for L.A., that probably triggers
a flag and you're like, well, why is that ‑‑ I mean, everyone loves Justin Bieber, but Romania,
I don't know.
Like, it's a pretty long flight.
So they're actually going to go through and they're going to take a device that's infected
in L.A. and then they're going to just proxy their traffic through there.
They buy that ticket most likely with a stolen credit card.
They then have a mule pick up.
They pick it up.
Maybe they sell that.
They do something with that ticket.
But basically they're allowed to get around that fraud detection system because they look
like they're actually an endpoint that is a viable endpoint for purchasing that type
of work.
And I'm going to hand it back over to Ryan, which please buy him some drinks, too.
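The "new hash is not a new sample" point above, as an added example that is not part of the original talk: three constructed APK-style zips carry an identical classes.dex but different affiliate config files and packaging timestamps, so the whole-file SHA1 differs for each while a hash of the code entry groups them as one sample.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the classes.dex that all three affiliate builds share.
SHARED_DEX = b"dex\n035\x00" + b"\x00" * 64 + b"sendTextMessage"


def build_sample(affiliate_cfg: bytes, packaged_at: tuple) -> bytes:
    """Build a minimal APK-like zip: the shared classes.dex, a per-affiliate
    config entry, and zip entry timestamps recording when it was packaged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("classes.dex", SHARED_DEX),
                           ("assets/config.txt", affiliate_cfg)):
            info = zipfile.ZipInfo(name, date_time=packaged_at)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def file_sha1(blob: bytes) -> str:
    """Whole-file hash, the identity most AV pipelines assign a sample."""
    return hashlib.sha1(blob).hexdigest()


def dex_sha256(apk: bytes) -> str:
    """Hash of only the code entry, ignoring packaging metadata and config."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read("classes.dex")).hexdigest()


def entry_timestamps(apk: bytes) -> dict:
    """Zip entry timestamps: the field a hex editor shows differing between builds."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {i.filename: i.date_time for i in z.infolist()}


def cluster_by_dex(samples: dict) -> dict:
    """Group sample names by classes.dex hash, so identical code counts once."""
    groups = {}
    for name, apk in samples.items():
        groups.setdefault(dex_sha256(apk), []).append(name)
    return groups


# Constructed samples: one per hypothetical affiliate, packaged on different days.
SAMPLES = {
    "alpha_a.apk": build_sample(b"aff_id=1001\n", (2013, 3, 1, 10, 0, 0)),
    "alpha_b.apk": build_sample(b"aff_id=1002\n", (2013, 3, 8, 0, 0, 2)),
    "alpha_c.apk": build_sample(b"aff_id=1003\n", (2013, 3, 15, 0, 0, 4)),
}


def unique_file_hashes(samples: dict) -> int:
    return len({file_sha1(apk) for apk in samples.values()})


if __name__ == "__main__":
    for name, apk in SAMPLES.items():
        print(name, file_sha1(apk), entry_timestamps(apk)["classes.dex"])
    print("distinct file hashes:", unique_file_hashes(SAMPLES))
    print("distinct code bodies:", len(cluster_by_dex(SAMPLES)))
```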
RYAN SMITH: Thanks, Tim.
So I'll step back for a second.
So just to summarize, when we had this large amount, so these Russian SMS fraud organizations,
we noticed, were accounting for 30,000 tickets.
40% of our overall detections worldwide.
So that's a huge number.
And it's a huge number of samples of malware to look at.
So when we look at classifying them and doing the deep analysis, like Tim said, it's important
to not just call them all, oh, this sends an SMS, so I'll call it SMS send.
But really categorize it by individuals because they evolve differently.
Different actors act differently.
And once we started dividing them differently, we noticed certain particular actors evolving
different than the others.
And they appeared to be distributing at higher and higher rates.
And so this led us to find these SMS fraud basically cottage industries where there's
an entire industry built around SMS fraud.
And the entire distribution channel has been commoditized where everybody is getting paid
to do their little piece of the pie and they specialize in that specific thing, maybe distributing
or creating fake Web sites with realistic‑looking skins or themes.
Or some people specializing in social media distribution through Twitter or Facebook
or things like that.
But each person specializing in one thing or another.
And that has led to these top ten organizations that we've identified accounting for over
30% of the overall detections.
And that's quite significant.
So this is DEF CON after all.
So this is an investigation of Russian SMS fraud.
But it could also be called if you happen to find yourself in the Moscow international
transit area saving up for a permanent vacation.
In a South American country, which we all know there's other outs, here's how you might
find some extra cash.
But please don't.
I'm not advocating that.
So you might go to a chat room like this.
There's plenty of chat rooms ‑‑ or forums, rather, in Russia that are specialized in
what they call black SEO or Web monetization.
Some more gray than others.
There's lots of ways to monetize in Russia.
As I'm sure you guys are well aware.
And so this one, you might be searching for Android WAP.
WAP is the wireless application protocol.
And that's basically what Russians call the data channel over a cellular network.
So anything that has to deal with mobile data, they call WAP.
So these systems are typically called WAP click or WAP this, WAP that.
So you find one and it says that it has unique landing pages and it's the best of the best.
So you click on that and it tells you a few things.
It tells you they pay out.
Now, every Thursday it says that they will help you.
They have the best successful landing pages.
They'll help you distribute.
And essentially what this is, this is an advertisement for an affiliate system where you can sign
up and if you have mobile traffic, you can sign up and they will help you distribute
these Android malware that they'll custom package for you and deliver to your victims
transparent to you.
So you just set up websites.
You drive traffic.
You get money.
And to see how easy that is, I don't know if this video will play.
But yeah.
So they make it seem like child's play.
Like you sitting out on the beach, riding on top of mobile phones, coins dropping out
of the sky.
You have to do a little work, but we'll take care of the rest.
And that's essentially what these organizations are.
They take care of the technical parts.
They take care of the campaign running and things like that.
And you just have to deal with building out websites and making money.
So we have a live chat.
I'll go around it piece by piece.
So individually I'll talk about the HQ organizations is what we're calling them.
But there's basically these affiliate marketing headquarters.
These are the guys that say, we'll take care of building Android malware for you.
We'll take care of helping you run a successful campaign.
We'll tell you which campaigns are more successful.
So some of the themes that they look like, and I'll show you this later, they look like
opera.
They look like Skype.
They look like ICQ or flash.
So they'll tell you which ones work.
And in which countries and in which markets.
And they'll take care of all that for you.
They also take care of one of the things that that post said in the forum is that they also
have good relationships with the billing companies, with these SMS fraud billing companies.
So for those of you that don't know, I'm not sure if there's people in the room that
don't know, but SMS fraud is essentially you download an Android application and as soon
as it fires up, as soon as you launch the application, it sends off three text messages.
It can send off any number of text messages, but in most cases, it's three individual text
messages, usually distributed among different numbers so that if one doesn't succeed, the
others might.
And then they get a response back and say, I've sent the messages, and typically it'll
either close down or maybe they give you a coupon or a link or something, but not what
you were anticipating on downloading.
So these organizations, they have the business relationships with the SMS registrars.
And that's what they provide.
So they handle the business and the back end and the technical.
And I'll walk through what some of that looks like in just a second.
So what these organizations look like, if you went to their sites, some of them look
like fairly legitimate businesses.
Now this one looks like it's maybe from the 1980s, so you'd be a little bit skeptical.
But some of them are a little bit flashier.
They're more HTML5, you know, something that you'd be more comfortable with.
Some of them have like a nice milkman look to them.
But some of them don't.
Not all of them do.
Some of them try to hide what they're doing.
But because of that, so these other organizations that I showed you that appear to look squeaky
clean, they have open registration.
So anybody can sign up with a WebMoney account and an ICQ number and e‑mail address.
Now these guys are a little bit more skeptical.
They want to talk to you like on ICQ.
They want to know how much traffic you have.
Because they do ‑‑ so what Diff was talking about earlier, not all SMS malware is made
equal.
These guys actually do a lot of PII theft and they'll run botnet commands through your
account through the infection.
So they do a lot more than what the other guys do and their look should show that.
So what they also do is they try to promote affiliate distribution.
So they promote whoever is the top affiliates.
They try to encourage you to distribute more.
And they have ‑‑ all of them have top 20.
So they'll have like a listing of who their top affiliates.
These have badges of honor.
If you're top affiliates and they show you rankings like how many places you've moved
up and down.
And here's another one that looks quite similar.
Here you get the big chair.
If you won, it's a little classier.
And this is one of the top ‑‑ those two are the top distributors as far as the
HQ organizations as a whole.
And some of the other things that they do, we saw that they run quarterly competitions
also on top of the regular rates.
And again, if you're a top affiliate, most times you get additional payouts.
So the percentage will increase as you bump up to the top.
Once you become a top affiliate.
Because they don't want to lose you.
And so some of the other things that they do is run quarterly competitions.
So they have a summer competition that we just saw an announcement for that was ‑‑ they
were advertising 300,000 U.S. dollars in prize and ‑‑ cash and prizes.
So it's significant amounts of money.
And individual affiliates we've seen have made up to $12,000 per month sustained over
multiple months.
So this is a fairly significant industry for both the affiliates and these HQ organizations.
And so I mentioned before, affiliates can leave if they want to.
They're not tied to one of these distributor HQ organizations.
So they also provide news feeds.
They also provide customer service.
And some of the top affiliates actually go out and force rank these websites in, like,
customer service, payout, timeliness, and things like that.
So they operate, like Diff said, as a start‑up.
And they're pushing out new code and new features every two weeks because they want to keep
their affiliates happy and engaged.
So as an affiliate, you would come along and you could use these tools that they've built
and with almost no technical knowledge, no knowledge of how to build an Android application,
you could go through a step‑by‑step process of building one of them for you.
And I'll go through that step‑by‑step process with you right now.
You name your campaign.
So you can set up campaign A and campaign B.
And you can test one on one set of websites and one on another set of websites and you
can see which one does better.
Because these guys take it seriously like a business and they want to see which of their
investments are doing the best.
So second, you choose your targets.
So this site provides Android, iOS, and Symbian support.
So Symbian and iOS are very basic, whereas Android is very clearly the key target.
So then you pick a theme.
So here, these guys have maybe 50 different themes.
You have your typical porn and porn videos.
And then you have MP3s, free MP3s.
Those always do well.
But lately there's been a rise in things like Adobe Flash, the pop‑ups that say update
your flash or download the newest version of Skype or download Opera.
So you can choose the theme.
And here, this site even gives you a pop‑up that will tell you what the effectiveness
of that theme is.
So they'll tell you what the payout has been, what the success, the conversion ratio has
been.
What phase is it most successful?
How is it best distributed?
And they give you all sorts of tips so that you can pick out the best theme for your market.
Once you have that, they essentially give you copy and paste code.
You take some JavaScript, you put it into your landing page, you build out some websites,
and the JavaScript will automatically redirect your users to their download page.
Because these are custom‑built Android applications, they don't just build them and give the code
out, give the APKs out.
They build everything dynamically.
So they redirect all the traffic.
Traffic back to them, to these headquarters organizations.
And when the users or the victims come along, they download and they custom compile things.
And like Diff said, that's what leads to a lot of this individual hashes.
So you see different hashes.
But that's because every victim that comes along is getting a unique version, even though
the code is the same, the timestamps are going to be different, and maybe the theme is going
to be different because everything is extremely customizable in these applications.
These guys don't waste any time hard coding.
The information in there.
So all the SMS registration information, all the themes, everything is custom configurable
and templated.
So once you have these sites, once you have the Android campaign built out, you need to
distribute it.
And so you need to build convincing sites, you need to register convincing domain names
and you need to lure in some traffic.
And this is where the affiliates really go to work.
These are sort of the foot soldiers of these HQ organizations.
They put them out, put them to work, going out and registering these little accounts.
That way if they use any bad tactics that happen to work, like spamming, they can say,
well, we told them not to spam and you can just shut down those domains.
But the big domain and all the other affiliates are safe.
So the individual affiliates will build out pages.
Some of the pages we've seen look like this.
So this one is SEO optimized to look like a search query for Opera.
So you might search in Google and then be redirected to a page like this to download
Opera.
And then when you click anywhere on here, you would be redirected to what looks like
an Opera download page.
And once you've downloaded that, that would install on your phone and you would be charged
money.
One of the other popular scams is Google Play.
Obviously this doesn't look exactly like Google Play.
It's called Android Play.
But it's fairly convincing and generates a lot of revenue for these guys also.
And then if you want to download the Google Play market, you can do that.
And again, this looks convincing.
The domain is even convincing.
And that's how these guys generate the traffic to then push people to download these applications.
And then they're getting anywhere between $3 and $18 per download and install.
So once you've built out your websites as an affiliate, you need to drive traffic to
those sites.
So some of the ways that we've seen is through social media.
Twitter happens to be a common theme that's used by these guys.
Another common theme that we've seen is in the Russian network specifically.
They've started building rogue ad networks.
So Diff mentioned BadNews.
This was an ad network that was built with the expressed intent of pushing malicious
links to these SMS fraud applications.
And so when a user would buy some sort of game application, they would see a pop-up
ad and it would say, you know, urgent, you need to update your Skype.
It's out of date.
And when they would click on it, they would download one of these ‑‑ they would be
redirected to one of these pages and download an application that would charge them anywhere
between $3 and $18 and then not give them Skype.
So what do some of these Twitter accounts look like?
We found over 50,000 Twitter accounts that were distributing spam‑type messages linking
back to these Russian advertising networks.
Some of them were more obvious than others.
This guy was ‑‑ I think ‑‑ I don't know.
He was tweeting out links to only the same domain and then just changing the page.
So that was a bit obvious.
Also he was sending out tweets three in one minute.
So he was very bursty and he was very greedy.
And you can see he sent out 3,600 tweets in a very short amount of time, and it may be
like six months.
But you can notice he doesn't have very many followers.
He's not following that many people.
So that's a lot of tweets for a guy with no friends.
So some ‑‑ like I said.
They're not as obvious.
The only thing obvious here is that this guy has the default profile picture.
So a lot of the Twitter accounts, because they're being bought up in blocks of like
10,000 Twitter accounts, they won't bother to customize the ‑‑ sorry, to customize
the profile picture.
So they'll leave the default profile picture up there.
And that's usually a fairly good indicator that they may be up to no good, but not necessarily
the only indicator.
So this guy you can see is more distributed.
He's even retweeting.
He's talking about lawyersonline.ru.
Legitimate traffic.
So he's interspersing normal conversations with his malware, and so he's trying to evade
a little bit more cleverly.
But ‑‑ and he's only sending 130 tweets with only one follower.
So he was caught because he was related to somebody else who was not so quiet.
So next, again, once you've built out this traffic, you've sent people through Twitter
back to these landing pages.
From the victim's perspective, you know, they would go click one of the advertisements.
They would click on one of the Twitter links.
Then they would go to the web page, the landing page.
They would download the application, and it would look like this.
So you see Google Play in the bottom left.
That doesn't really stand out as suspicious.
And that's basically the only thing that's real about the application.
Okay.
So you open it up, and at the top ‑‑ so I'll do some quasi‑translation for you.
At the top it's saying that this is an important update.
And then it says that it's the new version of Android Market.
And then down at the second it says that it's installing.
And then here it says that it's installed.
And please click run.
And then the bottom button says run.
If you notice, there is some fine print on the bottom.
I don't know how many people actually read it.
But in this case it's kind of important because it tells you how much they're going to charge
you.
But again, when you downloaded it, there was nothing telling you that they were going
to charge you.
So if you notice from these landing pages, in order to comply with what these affiliate
HQ organizations say, they say their policy is you can't tell somebody that it's free,
but you also don't have to tell them that they're going to be charged for it.
Just putting this terms of service somewhere in the application is good enough.
And so in this case, there was a link at the bottom.
Maybe that's caveat emptor.
You should have known.
But in other cases, it's not as obvious.
So in this, I don't know if you can tell, but there's no links.
And all it says is if you're ready, click here to go to the next screen.
And if you look in the code, you would see that there's a lot of breaks, there's a lot
of new lines.
And they've essentially pushed the terms of service so far down, it's down there at
the bottom, that you would have to scroll down for about two minutes before you ever
get to the terms of service.
But technically it's there.
So again, instantly, once you've downloaded these applications, the only reason that that
install bar is up there, which by the way is just a JavaScript loop, it's not actually
tied to any progress, the only progress that it may be tied to is ensuring that they have
enough time to send out the three text messages before the application closes.
So the money goes directly out to the carriers, in some cases.
In some cases you have some time to negotiate with the carriers and say, hey, that's not
‑‑ that wasn't a charge that I was expecting.
And depending on the carrier, depending on which country you're in, these windows of
time that you have to dispute vary.
So in the U.S. it's 60 days, up to 60 days.
But in other countries it's very slim.
And maybe potentially none.
In some cases it may go directly into their accounts.
And so once the money goes into the accounts, the HQ organizations will take that
money out and distribute it to the individual affiliates that were responsible for
generating those downloads.
And they have ways of tracking individual downloads so that they're rewarding the right
people.
And so again, here's evidence of how much one person can make in a month.
And in this one case, this is just a one month, could be a one‑off.
But he made 600,000 rubles.
Which is roughly equivalent to 20,000 U.S. dollars in one month.
So you could save up for a pretty good vacation.
So some conclusions.
So we found ten Russian SMS fraud sites that accounted for over 30% of the worldwide malware
detections.
As Dip pointed out, and I think I've kind of pointed out also, the number of these detections
can often be inflated.
So in some cases we see over 100,000 unique samples.
But when we classify them the way that we do, we can condense them down into only 100 variants
of the same malware.
So reduce it, you know, significantly.
And track exactly what they're doing.
And by classifying it this way, we've been able to follow these individual malware that's
being distributed up through the distribution channels through the affiliates.
And some people may have stopped there.
So sometimes you might say, hey, we know where these download links are coming from.
We can just shut down those domains for these landing pages.
But then you'd be spending your time in the whack‑a‑mole game.
Because you'd be knocking down one affiliate and another one would pop up.
And then you'd knock down another affiliate.
And another one would pop up.
But by seeing all the way back to the headquarter organizations, you can see the entire picture
and step out of the whack‑a‑mole game a bit and see where the key linchpin pieces
are.
And so SMS fraud is a very diverse threat, requires careful categorization.
Just because it sends an SMS does not make it the same.
As Dip pointed out, some applications will try to steal more data and try to do more
harm.
And we've seen commoditization.
So here we're seeing commoditization similar to how we've seen PC crime ware happening
in Russia.
And this is the first big instance of commoditization in an actual industry around mobile malware.
And so that's a significant development, that this isn't just one guy developing software,
but it's one guy developing software, selling it to a larger organization who has connections
to SMS registrars and have maybe thousands of affiliates distributing the malware.
And then those affiliates have people building websites for them and generating social media
traffic for them.
And so there's a fairly large and broad industry involved in the distribution of these very
few organizations' malware.
And so I'll let Dip come up and thank a few people.
But I'd like to thank the entire R&R and security team at Lookout.
There's a lot of people in the background that did a lot of work here.
Dip and I are just the people that are lucky enough to be standing up at Lookout.
But certainly there's a lot of others doing a lot of hard work on our team at Lookout.
I'd like to also thank the Honey Net Project.
There's a lot of people in that organization that I've stood on the shoulders of and certainly
learned a lot, especially in this type of investigation.
And then Dip.
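The Twitter indicators Ryan described (every link on one domain with only the path changing, three tweets inside a minute, far more tweets than followers, the default profile picture, and the quiet account that was only caught through its relationship to a noisier one) can be turned into a simple triage score. The following Python is an added example written for this transcript, not code from the talk or from Lookout; the account records and the `landing.example` and `lawyersonline.example` domains are constructed sample data, and the indicator thresholds are assumptions chosen to match the figures quoted above.

```python
"""Triage heuristics for spam-distribution accounts, after the indicators
described in the talk. Added example; sample data below is constructed."""
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample accounts (not real Twitter data). Each tweet is an
# (ISO-8601 timestamp, url-or-None) pair; domains are reserved example names.
ACCOUNTS = {
    # Loud, greedy account: one domain, changing path, bursty, no followers, egg avatar.
    "loud_bot": {
        "followers": 2, "following": 4, "default_avatar": True,
        "tweets": [
            ("2012-05-01T10:00:05", "http://landing.example/page1"),
            ("2012-05-01T10:00:20", "http://landing.example/page2"),
            ("2012-05-01T10:00:40", "http://landing.example/page3"),
            ("2012-05-01T10:01:10", "http://landing.example/page4"),
            ("2012-05-01T10:05:00", "http://landing.example/page5"),
        ],
    },
    # Quiet account: mixes a normal-looking link and chatter with one landing link.
    "quiet_bot": {
        "followers": 1, "following": 30, "default_avatar": False,
        "tweets": [
            ("2012-05-02T09:00:00", "http://lawyersonline.example/article"),
            ("2012-05-02T12:30:00", None),
            ("2012-05-02T18:45:00", "http://landing.example/page9"),
        ],
    },
    # Ordinary user for contrast.
    "normal_user": {
        "followers": 250, "following": 180, "default_avatar": False,
        "tweets": [
            ("2012-05-02T08:00:00", None),
            ("2012-05-02T13:00:00", "http://news.example/story"),
            ("2012-05-03T20:00:00", None),
        ],
    },
}


def link_domains(tweets):
    """Count the hostnames linked from an account's tweets."""
    return Counter(urlparse(u).netloc for _, u in tweets if u)


def max_burst(tweets, window_seconds=60):
    """Largest number of tweets inside any sliding window of window_seconds."""
    times = sorted(datetime.fromisoformat(t) for t, _ in tweets)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def indicators(acct):
    """Per-account indicator hits; thresholds are assumptions, not the talk's."""
    doms = link_domains(acct["tweets"])
    n_links = sum(doms.values())
    n_tweets = len(acct["tweets"])
    return {
        "single_domain": n_links >= 3 and len(doms) == 1,
        "bursty": max_burst(acct["tweets"]) >= 3,
        "tweets_vs_followers": n_tweets >= 3 and n_tweets > 2 * acct["followers"],
        "default_avatar": acct["default_avatar"],
    }


def flag_accounts(accounts, min_hits=2):
    """Return (direct, related): accounts with enough indicator hits, then
    accounts that are quiet on their own but link into a domain that a
    directly flagged account sends at least half of its links to."""
    direct = {h for h, a in accounts.items()
              if sum(indicators(a).values()) >= min_hits}
    hot_domains = set()
    for h in direct:
        doms = link_domains(accounts[h]["tweets"])
        total = sum(doms.values())
        hot_domains |= {d for d, c in doms.items() if total and c / total >= 0.5}
    related = {h for h, a in accounts.items()
               if h not in direct and set(link_domains(a["tweets"])) & hot_domains}
    return direct, related


if __name__ == "__main__":
    for handle, acct in ACCOUNTS.items():
        print(handle, indicators(acct))
    print(flag_accounts(ACCOUNTS))
```

The point of the second pass in `flag_accounts` is the one the talk makes: the quiet account trips only the tweets-to-followers ratio on its own, which is not enough to flag it, but it shares the landing domain that the loud account pushes, so it is surfaced as related rather than missed.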
DIP PANKAJUK: A lot of the samples that we actually went through, and we submit a lot
of samples to Mila, which thank you to Mila for running the contagio mini malware dump.
If you ever want to have some fun things to look at for reverse engineering, she also has
lots of crimeware kits up there.
But there's lots of actual mobile malware.
If there's any other specific samples that aren't up there, feel free to reach out to
us.
We're always in the mood for sharing and trying to, you know, make new friends and share techniques
and whatnot.
Also, just for Android reversing in general, you should follow a lot of these guys.
These are all their Twitter handles.
Jay Duck does some really interesting stuff.
Pof and Thomas Cannon from viaForensics, really, really smart guys.
Anthony Desnos, he's the creator of Androguard.
And I'll leave that up to you.
A really interesting guy, OSX Reverser, that's Fractal G.
He's a guy based out of Portugal.
You should really follow him.
He does some really interesting stuff based around the economics of malware and rootkits.
He's the one who's always making fun of Hacking Team for Crisis and whatnot.
So he's showing people how to make better rootkits, and he's done some really interesting
stuff.
And like I said, it's a really interesting perspective looking at the economics of malware
and what the return on investment is for all that.
Other than that, Justin Case and Gunther.
Thank you.
And Crypto Girl from Fortinet.
Really great people to follow, and you'll be able to stay up to date on the most really
interesting Android malware and just the rooting scene in general.
And then if you'd like to see more information, we actually post it on our blog, so blog.lookout.com.
There's a ‑‑ it's about like a ten‑page, almost like a white paper, and it has a lot
more technical details that we kind of tried to skim over to prevent you guys from getting
pre‑lunch, post‑lunch coma.
Thank you.
Come down and do your homework.
And have a wonderful day.
Bye.
